A fix is available
APAR status
Closed as program error.
Error description
The customer experienced a CSQX620E CSQXRCTL System SSL error message. . CSQX620E +cpf CSQXRCTL System SSL error, channel DQMSSL.CSQF.TO.MQGP, connection MQxxx (xxx.xxx.xxx.xxx) function 'gsk_secure_socket_misc' RC=410 CSQX599E +cpf CSQXRCTL Channel DQMSSL.CSQF.TO.MQGP ended abnormally IEA041I SDUMP SCHEDULED FOR REMOTE SLIP TRAP ID=GSK2 FROM SYSTEM XX . The "410 - means SSL message format is incorrect" . From the dump, you can see that the channel is sending an SSL handshake flow to the partner system, and receives a response which is 0x45 bytes long. . SSL reads the first 5 bytes of the flow (to determine the flow type and data length), and then requests the subsequent 0x40 bytes to complete the handshake. . The internal buffering code detects that the fResetComplete flag has been enabled and so it does not return the remainder of the buffer to SSL (but keeps it buffered) and the handshake is not completed. SSL interprets the lack of data as a socket-closed error and returns RC 420. . This socket-closed is then interpreted as an end-of-key-reset, and the channel carries on sending data to the partner. . After the next batch of messages is sent, and the channel issues a recv, anticipating a response to the recently sent confirm flow. Instead because the partial 0x40 bytes of data is still buffered, this is given the the SSL read call, which examines the first byte, determines that the 0x1E content-type is invalid, and returns error 410 (GSK_ERR_BAD_MESSAGE) and the channel is terminated as a result.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: All users of WebSphere MQ for z/OS Version 7 * * Release 0 Modification 1. * **************************************************************** * PROBLEM DESCRIPTION: SSL channels may terminate with message * * CSQX620E System SSL Error. * **************************************************************** * RECOMMENDATION: * **************************************************************** When using the SSL Key reset feature for SSL channels, a channel may rarely terminate, issuing message CSQX620E. This is caused by internal monitoring of the reset sequence misinterpreting some encrypted data content as an SSL header.
Problem conclusion
SSL channel reset processing has been amended so that it always checks that it is examining an SSL header, rather than the encrypted body, when monitoring for the end of an SSL key reset. 010Y AMQCCIHA CSQXCCIH CSQXGIOC
Temporary fix
Comments
APAR Information
APAR number
PM54740
Reported component name
WMQ Z/OS V7
Reported component ID
5655R3600
Reported release
010
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2011-12-20
Closed date
2012-02-10
Last modified date
2013-12-10
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
PM57537 UK76069
Modules/Macros
AMQCCIHA CSQXCCIH CSQXGIOC
Fix information
Fixed component name
WMQ Z/OS V7
Fixed component ID
5655R3600
Applicable component levels
R010 PSY UK76069
UP12/02/24 P F202
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SG19M","label":"APARs - z\/OS environment"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0.1","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
10 December 2013